afY ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z ddl m Z ddl m ZddlmZddlmZddlmZddlmZ dd lmZdd lmZdd lmZd Zn #e$rd ZYnwxYwdZdZ Gdde!Z"ej#e"Gdde"Z$ej#e$Gdde!Z%ej#e%Gdde!Z&ej#e&Gdde&Z'ej#e'dZ(dZ)Gdde!Z*ej#e*Gdde!Z+ej#e+e d2d!Z,e d3d"Z-e d#Z.e d$Z/e d4d'Z0e d5d(Z1d)Z2 e d6d+Z3e d,Z4d7d-e5d.e5d/e e6d0e fd1Z7dS)8N)OptionalDict)public)xor)IAuthenticator) PBKDF2HMAC)hashes)default_backend hash_secretType)saslprepTF) AuthAnonymous AuthScramAuthCryptoSign AuthWampCra AuthTicketcreate_authenticatorpbkdf2generate_totp_secret compute_totp check_totpqrcode_from_totp derive_key generate_wcs compute_wcsderive_scram_credentialc x tjttjttjttjtt jt t jt tjti|}n0#t$r#td |wxYw|di|}|S)a Accepts various keys and values to configure an authenticator. The valid keys depend on the kind of authenticator but all can understand: `authextra`, `authid` and `authrole` :return: an instance implementing IAuthenticator with the given configuration. zUnknown authenticator '{}') rnamerAuthCryptoSignProxyrrAuthAnonymousProxyrKeyError ValueErrorformat)r!kwargsklass authenticators D/var/www/html/env/lib/python3.11/site-packages/autobahn/wamp/auth.pyrrKs  NI    $&9  k    #%7 OZ       ( / / 5 5    EOOFOOM s A?B-B/c:eZdZdZdZedZdZdZdS)r anonymousc ||_dSN)_argsselfkws r*__init__zAuthAnonymous.__init__ks  cP|jdtSN authextrar/getdictr1s r*r7zAuthAnonymous.authextranz~~k466222r4c td)Nz/on_challenge called on anonymous authentication) RuntimeErrorr1session challenges r* on_challengezAuthAnonymous.on_challengers =   r4cdSr.r r1msgr7s r* on_welcomezAuthAnonymous.on_welcomewtr4N __name__ __module__ __qualname__r!r3propertyr7rBrFr r4r*rrhsa D33X3   r4rceZdZdZdS)r#zanonymous-proxyNrIrJrKr!r r4r*r#r#~s DDDr4r#c:eZdZdZdZedZdZdZdS)rticketc ||_ |jd|_dS#t$rt dwxYw)NrPz.ticket authentication requires 'ticket=' kwarg)r/pop_ticketr$r%r0s r*r3zAuthTicket.__init__sW  :>>(33DLLL   @  s *AcP|jdtSr6r8r;s r*r7zAuthTicket.authextrar<r4c*|jdksJ|jS)NrP)methodrSr?s r*rBzAuthTicket.on_challenges8++++|r4cdSr.r rDs r*rFzAuthTicket.on_welcomerGr4NrHr r4r*rrsa D33X3r4rc:eZdZdZdZedZdZdZdS)r cryptosignc ,|D]3}|dvr-td||jj4dD](}||vr"td|)ddlm}|tj |d|_ d| d tvr;|d d}||j krtd nG| d t|d <|j |d d<| d t d d|_||_dS) N)r7authidauthroleprivkeyUnexpected key '{}' for {})r]z Must provide '{}' for cryptosignr) CryptosignKeyr]pubkeyr7z,Public key doesn't correspond to private keychannel_binding)keysr%r& __class__rIautobahn.wamp.cryptosignr_ from_bytesbinasciia2b_hex_privkeyr9r: public_key_channel_bindingr/)r1r2keyr_r`s r*r3zAuthCryptoSign.__init__s7799  CHHH 077T^=TUUI  C"}} 6==cBB ;:::::%00  R ] + +    rvvk46622 2 2 _X.F113333 B4 !ff[$&&99B{O(, (@(@(B(BB{OH % "{DFF ; ; ? ?@QSW X X r4cP|jdtSr6r8r;s r*r7zAuthCryptoSign.authextrar<r4c|jjj|jd}|j|||jS)N) channel_idchannel_id_type) _transporttransport_detailsrnr9rjrhsign_challenge)r1r@rArns r*rBzAuthCryptoSign.on_challengesQ'9DHHI^`dee }++I7A<@33X3SSS r4rceZdZdZdS)r"zcryptosign-proxyNrNr r4r*r"r"s DDDr4r"c t|tj|||ddtjd}|d\}}}}} } | S)z Internal helper. Returns the salted/hashed password using the argon2id-13 algorithm. The return value is base64-encoded.  secretsalt time_cost memory_cost parallelismhash_lentypeversion$)r base64 b64decoderIDsplit) passwordr{ iterationsmemoryrawhash_tagveroptions salt_data hash_datas r*_hash_argon2id13_secretrsc   d # # W   G29t1D1D.AsC)Y r4c(t|||dS)z2 Internal helper for SCRAM authentication rw)keylen)r)rr{rs r*_hash_pbkdf2_secretrs (D*R 8 8 88r4c>eZdZdZdZdZedZdZdZ dS)rz Implements "wamp-scram" authentication for components. NOTE: This is a prototype of a draft spec; see https://github.com/wamp-proto/wamp-proto/issues/135 scramc Ntstd||_d|_dS)Nz^Cannot support WAMP-SCRAM without argon2_cffi and passlib libraries; install autobahn['scram']) HAS_ARGONr>r/ _client_noncer0s r*r3zAuthScram.__init__s8 ?  !r4c|j>tjtjdd|_d|jiS)Nasciinonce)rr b64encodeosurandomdecoder;s r*r7zAuthScram.authextra sH   %!'!1"*R..!A!A!H!H!Q!QD  T'  r4c|jdksJ|jJgd}ddg}|D]-}||jvr"td|.|jD]+}|||zvr"td|,|jdd}|jd}|jd }t |jd } t |jdd } |jd d } t|jd} |jd} |j}dd| |d||| d||d|_ | dkr-| d krtdt| || | |_ n?| dkrt| || |_ n"td| tj|j dt"j}t#jd|}tj||j t"j}t)||}t+j|S)Nr)rkdfr{rrraz?WAMP-SCRAM challenge option '{}' is required but not specifiedz/WAMP-SCRAM challenge has unknown attribute '{}'rr{rrutf8r[rz:{client_first_bare},{server_first},{client_final_no_proof}z n={},r={}zr={},s={},i={}z c={},r={})client_first_bare server_firstclient_final_no_proofr argon2id-13z>WAMP-SCRAM 'argon2id-13' challenge requires 'memory' parameterrz%WAMP-SCRAM specified unknown KDF '{}' Client Keysha256)rVrextrar>r&r9intr/encoder _auth_messager%r_salted_passwordrhmacnewhashlibrdigest xor_arrayrr)r1r@rA required_args optional_argskra server_noncer{rrrr[ algorithm client_nonce client_key stored_keyclient_signature client_proofs r*rBzAuthScram.on_challenges7****!--->>> !#45   A ''"228&))(   A 555"ELLQOO6 $/--.?DD w/ v&677 Y_((26677:j)0088$*X.//OE* )  I O O"-"4"4V\"J"J-44\4TT&1&8&8,&W&W P   &//   % %|| T%>yII Xd3]GNSSZZ\\ [:66==?? 8J0BGNSSZZ\\ -=>>  ---r4ctj|d}tj|jdt j}tj||jt j}tj ||s|j ddS|j ddS)a When the server is satisfied, it sends a 'WELCOME' message. This hook allows us an opportunity to deny the session right before it gets set up -- we check the server-signature thus authorizing the server and if it fails we drop the connection. scram_server_signature Server Keyz-Verification of server SCRAM signature failedz1Verification of server SCRAM signature successfulN) rrrrrrrrrcompare_digestlogerrorinfo)r1r@r7alleged_server_sig server_keyserver_signatures r*rFzAuthScram.on_welcomeJs$-i8P.QRRXd3]GNSSZZ\\ 8J0BGNSSZZ\\"#35GHH C K  M N N NBB  ?   tr4N) rIrJrK__doc__r!r3rLr7rBrFr r4r*rrsn D"""  X 6.6.6.pr4rc:eZdZdZdZedZdZdZdS)rwampcrac |D]3}|dvr-td||jj4dD](}||vr"td|)||_|d|_t|jts!|j d|_dSdS)N)r7r[r\rzr^)rzr[zMust provide '{}' for wampcrarzr) rbr%r&rcrIr/rR_secret isinstancestrr)r1r2rks r*r3zAuthWampCra.__init__ds7799  CGGG 077T^=TUUH(  C"}} 3::3??  vvh'' $,,, 7<..v66DLLL 7 7r4cP|jdtSr6r8r;s r*r7zAuthWampCra.authextravr<r4c4|jd}d|jvr3t||jd|jd|jd}t ||jdd}|dS)Nrr{rrrAr)rrrrrr)r1r@rArk signatures r*rBzAuthWampCra.on_challengezsl!!&)) Y_ $ $' -) C  OK ( / / 7 7  (((r4cdSr.r rDs r*rFzAuthWampCra.on_welcomerGr4NrHr r4r*rrasa D777$33X3))) r4r ct|tksJtjt j|dS)a Generates a new Base32 encoded, random secret. .. seealso:: http://en.wikipedia.org/wiki/Base32 :param length: The length of the entropy used to generate the secret. :type length: int :returns: The generated secret in Base32 (letters ``A-Z`` and digits ``2-7``). The length of the generated secret is ``length * 8 / 5`` octets. :rtype: unicode r)rrr b32encoderrrlengths r*rrsD <<3      BJv.. / / 6 6w ? ??r4cBt|tksJt|tksJ tj|}n#t $rt dwxYw|ttjdzz}tj d|}tj ||tj }d|dz}tjd|||dzdd zd z}d |S) aF Computes the current TOTP code. :param secret: Base32 encoded secret. :type secret: unicode :param offset: Time offset (in steps, use eg -1, 0, +1 for compliance with RFC6238) for which to compute TOTP. :type offset: int :returns: TOTP for current time (+/- offset). :rtype: unicode zinvalid secretz>Qrxz>Irii@Bz{0:06d})rrrr b32decode TypeError Exceptiontimestructpackrrrsha1runpackr&)rzoffsetrkintervalrErotokens r*rrs <<3     <<3    *v&& ***()))*DIKK((B..H +dH % %C Xc3 - - 4 4 6 6F fRjA ]4!a% 1 1! 4z AW LE   E " ""s A A%c>dD]}|t||krdSdS)a Check a TOTP value received from a principal trying to authenticate against the expected value computed from the secret shared between the principal and the authenticating entity. The Internet can be slow, and clocks might not match exactly, so some leniency is allowed. RFC6238 recommends looking an extra time step in either direction, which essentially opens the window from 30 seconds to 90 seconds. :param secret: The secret shared between the principal (eg a client) that is authenticating, and the authenticating entity (eg a server). :type secret: unicode :param ticket: The TOTP value to be checked. :type ticket: unicode :returns: ``True`` if the TOTP value is correct, else ``False``. :rtype: bool )rrvrTF)r)rzrPrs r*rrs9( \&&11 1 144 2 5r4ct|tkr/tdt|t|tkr/tdt| ddl}ddl}n#t $rtdwxYw|d|||d|jj j  S)Nz&secret must be of type unicode, not {}z%label must be of type unicode, not {}rzqrcode not installedz%otpauth://totp/{}?secret={}&issuer={})box_size image_factory) rrrr&qrcodeqrcode.image.svg ImportErrormakeimagesvgSvgImage to_string)rzlabelissuerrs r*rrs F||s@GGV UUVVV E{{c?FFtE{{SSTTT0  000.///0 ;;/66uffMMl&/  1 12;=s BB3rwct|tkrHt|tkr0t|tkrt|tkstd|d}|turtdt }t tt| ||||}| |S)a  Returns a binary digest for the PBKDF2 hash algorithm of ``data`` with the given ``salt``. It iterates ``iterations`` time and produces a key of ``keylen`` bytes. By default SHA-256 is used as hash function, a different hashlib ``hashfunc`` can be provided. :param data: The data for which to compute the PBKDF2 derived key. :type data: bytes :param salt: The salt to use for deriving the key. :type salt: bytes :param iterations: The number of iterations to perform in PBKDF2. :type iterations: int :param keylen: The length of the cryptographic key to derive. :type keylen: int :param hashfunc: Name of the hash algorithm to use :type hashfunc: str :returns: The derived cryptographic key. :rtype: bytes zInvalid argument typesNrz=pbkdf2 now takes the name of a hash algorithm for 'hashfunc=')rrr{rbackend) rbytesrr%callabler rgetattrr upperderive)datar{rrhashfuncrrs r*rrs, JJ%   JJ%      # # LLC  1222 8 K   G 3'&(.."2"23355     C ::d  r4crt|ttfvrtdt|ttfvrtdt|tkstdt|tkstdt|tkr|d}t|tkr|d}t ||||}tj| S)a  Computes a derived cryptographic key from a password according to PBKDF2. .. seealso:: http://en.wikipedia.org/wiki/PBKDF2 :param secret: The secret. :type secret: bytes or unicode :param salt: The salt to be used. :type salt: bytes or unicode :param iterations: Number of iterations of derivation algorithm to run. :type iterations: int :param keylen: Length of the key to derive in bytes. :type keylen: int :return: The derived key in Base64 encoding. :rtype: bytes z'secret' must be bytesz'salt' must be bytesz'iterations' must be an integerz'keylen' must be an integerr) rrrr%rrrrf b2a_base64strip)rzr{rrrks r*rr!s& LLS%L ( (1222 JJ3, & &/000    # #:;;; LLC  6777 F||sv&& DzzS{{6"" z6 2 2C  s # # ) ) + ++r4>ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ct|tksJddt|DdS)aw Generates a new random secret for use with WAMP-CRA. The secret generated is a random character sequence drawn from - upper and lower case latin letters - digits - :param length: The length of the secret to generate. :type length: int :return: The generated secret. The length of the generated is ``length`` octets. :rtype: bytes rc3HK|]}tjtVdSr.)randomchoiceWCS_SECRET_CHARSET).0rs r* zgenerate_wcs..\s-LL6=!344LLLLLLr4r)rrjoinrangerrs r*rrJsQ" <<3     77LLeFmmLLL L L S ST[ \ \\r4ct|ttfvsJt|ttfvsJt|tkr|d}t|tkr|d}t j||t j}tj | S)aY Compute an WAMP-CRA authentication signature from an authentication challenge and a (derived) key. :param key: The key derived (via PBKDF2) from the secret. :type key: bytes :param challenge: The authentication challenge to sign. :type challenge: bytes :return: The authentication signature. :rtype: bytes r) rrrrrrrrrrfrr)rkrAsigs r*rr_s 99e $ $ $ $  ??sEl * * * * CyyCjj   I#$$V,, (3 7> 2 2 9 9 ; ;C  s # # ) ) + ++r4emailrr{returnc ts Jdddlm}ddlm}|sWt j}||d|dd}t|dksJ||d|dd d d |j d }| d d\}}} } }} |dksJ| dksJdd| dDD} | d} tj| dtj} t jd| } tj| dtj}dt| dt| dt!j| dt!j|  dt!j| dd}|S)a? Derive WAMP-SCRAM credentials from user email and password. The SCRAM parameters used are the following (these are also contained in the returned credentials): * kdf ``argon2id-13`` * time cost ``4096`` * memory cost ``512`` * parallelism ``1`` See `draft-irtf-cfrg-argon2 `__ and `argon2-cffi `__. :param email: User email. :param password: User password. :param salt: Optional salt to use (must be 16 bytes long). If none is given, compute salt from email as ``salt = SHA256(email)[:16]``. :return: WAMP-SCRAM credentials. When serialized, the returned credentials can be copy-pasted into the ``config.json`` node configuration for a Crossbar.io node. zmissing dependency argon2rr r rNriirvrwrxryr$argon2idzv=19ci|]\}}|| Sr r )rrvs r* z+derive_scram_credential..s. Aq 1r4c8g|]}|dS)=)r)rxs r* z+derive_scram_credential..s"111!111r4,rrrrmt)rrrr{z stored-keyz server-key)rargon2.low_levelr rrrupdaterrlenrrrrrrrfb2a_hex)rrr{r rr!rrrrparamssalted_passwordrrr credentials r*rrws\( 111119,,,,,,%%%%%%  N   f%%&&&xxzz#2# t99???? v&&  W   I-6,<,r5s6   !!!!!!!! ******333333@@@@@@111111888888,,,,,,&&&&&&IIIII &:F& &&&*+++0 ###-----V---`'''.+,,,,999ddddddddN """*****&***Z $$$@@@@"####62===&0000f,,,,DV ]]]](,,,.??3?#?Xe_?X\??????sA##A-,A-